Compliance
Protecting your data is paramount in today’s business climate. At Identity Automation, we’re committed to your success. Our ability to deliver continuous innovation, unmatched customer support, and the best value in the industry that has led to an unmatched record of customer success. Our team has been helping customers meet compliance standards since 2004, with over 1,000 successful implementations and renewal rates of over 98%. Learn more about Identity Automation’s Compliance and Certifications for the following standards.
VPAT
A Voluntary Product Accessibility Template (VPAT) is a document that allows your company or organization to provide a comprehensive analysis of conformance to accessibility standards set by Section 508 of the Rehabilitation Act.
“A Voluntary Product Accessibility Template (VPAT™) is a document that explains how information and communication technology (ICT) products such as software, hardware, electronic content, and support documentation meet (conform to) the Revised 508 Standards for IT accessibility. VPATs™ help Federal agency contracting officials and government buyers to assess ICT for accessibility when doing market research and evaluating proposals.”*
The VPAT was created by the Information Technology Industry Council so that contracting officials and purchasers could make preliminary assessments on information technology products and service offerings. Therefore, a VPAT can be a critical component of the RFP process for any organization (private or government) where accessibility and Section 508 compliance is a key element.
To download our Rapididentity Accessibility Conformance Report, click here.
Click here to learn more.
*source: www.section508.gov
FERPA
The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information.
The Family Educational Rights and Privacy Act of 1974 (FERPA) governs access and release of student records. FERPA applies to elementary, secondary, and postsecondary institutions. Institutions that receive federal funding are required to comply with FERPA or risk losing their funding.
FERPA defines three types of information: educational information, PII, and ‘non-directory’. Non-directory information and PII cannot be released to anyone without a student’s written consent. Faculty and staff can only access non-directory information when there is a legitimate academic reason. Non-directory information includes records relating to a student’s Social Security number, school identification number, race, ethnicity, nationality, gender, and transcripts. Directory information does not require signed, written consent prior to its release.
Click here to learn more.
COPPA
The Children’s Online Privacy Protection Act (COPPA) is a law that requires parental consent for the collection or use of any personal information of young Web site users (13 and under).
“When it comes to the collection of personal information from children under 13, the Children’s Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, the nation’s consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children’s privacy and safety online. For example, if your company is covered by COPPA, you need to have certain information in your privacy policy and get parental consent before collecting some types of information from kids under 13.”*
The FTC provides a six-step process to determine if your company is covered by COPPA:
- Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.
- Step 2: Post a Privacy Policy that Complies with COPPA.
- Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids.
- Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.
- Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.
- Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.
- Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement
Click here to learn more.
*source: www.ftcj.gov
SOC II
A SOC 2 Type 2 report is a report that captures an organization’s internal safeguards for customer data stored in the cloud as well as a measure of safeguard effectiveness.
SOC 2 applies to technology-based service organizations that store customer data in the cloud. A SOC 2 audit is an audit of a service organization’s non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system.
SOC 2 compliance is a component of the American Institute of CPAs (AICPA)’s Service Organization Control reporting platform.
There are many other similarities between SOC II Type I and SOC 2 Type II reports, but the key difference is that a SOC 2 Type I report is a confirmation of controls at one specific time, whereas a SOC 2 Type II report is a confirmation of controls over a minimum six-month period. The SOC 2 Type I reports on the description of controls, that they are detailed and correspondingly deployed. The SOC 2 Type II reports primarily on the effectiveness of the controls.
To request our Soc2 compliance report, click here.
CJIS Security Policy
CJIS Security Policy sets standards for data security and encryption for criminal justice and law enforcement entities.
“The essential premise of the Criminal Justice Information Services (CJIS) Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. This Policy applies to every individual—contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity—with access to, or who operate in support of, criminal justice services and information.”*
Criminal Justice Information (CJI) refers to data necessary for law enforcement and civil agencies to perform their duty. Examples of CJI data include biometric data (DNA, fingerprints, etc.), identity history data (history of criminal and/or civil events regarding the individual), personal data, property data, and case history.
Click here to learn more.
*source: FBI.gov
WCAG
The Web Content Accessibility Guidelines (WCAG) 2.0 provide recommendations for making Web content more accessible.
Web Content Accessibility Guidelines (WCAG) was developed with a vision of providing a single shared standard for web content accessibility that meets the needs of individuals, organizations, and governments internationally. Specifically, the WCAG details how to make web content more accessible to people with disabilities. Web “content” generally refers to the information in a web page or web application, including natural information such as text, images, and sounds or code/markup that define structure, presentation, etc.
Identity Automation conforms to WCAG 2.0.
Click here to learn more.
HECVAT
The HECVAT is a questionnaire framework specifically designed for higher education to measure vendor risk.
The Higher Education Community Vendor Assessment Tool (HECVAT) was created by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group, in collaboration with Internet2 and REN-ISAC.
The HECVAT tool is used to measure a 3rd party vendor’s compliance level to ensure that cybersecurity policies are in place to protect students/faculty/staff Personally identifiable information (PII) and sensitive Institutional information.
HECVAT enables a consistent, easily-adopted methodology for Higher Ed organizations wishing to reduce costs through cloud services without increasing risks.
To download our Higher Education Community Vendor Assessment Tool, click here.
Click here to learn more.
NY 2 ED
NY Education Law 2-D was enacted to foster privacy and security of personally identifiable information (PII) of students and certain PII related to classroom teachers and principals.
The guidance provided by NY EdLaw 2-D seeks to address the risks that digital workflows have introduced. Following the NIST Cybersecurity Framework, NY EdLaw 2-D explicitly states that a data security program should include “data security protections, including data systems monitoring, data encryption, incident response plans, limitations on access to personally identifiable information, safeguards to ensure personally identifiable information is not accessed by unauthorized persons when transmitted over communication networks, and destruction of personally identifiable information when no longer needed.”
Further, the regulation requires that when a parent or student requests education records, “safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection must be in place when data is stored or transferred”. Also, all third-party contractors who receive PII, or any subcontractee engaged by a third-party contractor, must “use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the United States department of health and human services in guidance issued under Section 13402(H)(2) of Public Law 111-5.
Click here to learn more.
TX-RAMP
The Texas Risk and Authorization Management Program (TX-RAMP) is a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency. Identity Automation's RapidIdentity Cloud has achieved Level 2 TXRamp Status.
The Texas Risk and Authorization Management Program (TX-RAMP) is a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency, institution of higher education, and public community college.
TX-RAMP Provisional Status provides a provisional product certification permitting a state agency to contract for the use of a product for up to 18 months without receiving full TX-RAMP certification. Upon achieving provisional status, the cloud computing service will need to be certified through a TX-RAMP assessment or equivalent within the provisional status period to maintain compliance with program requirements.
Identity Automation achieved provisional status in 2022 and is anticipating full certification in 2023 after achieving StateRAMP status.
Click here to learn more.
SECURITY & VULNERABILITY PROCESS
At Identity Automation, we take the security of the service offering very seriously. We know your organization relies on us to protect the integrity of your Identity & Access solution. Protection begins with the way we develop our products and services and is codified in our Secure Software Development Lifecycle. Our process incorporates rigorous thought from the inception of a feature to its deployment – we incorporate many defense-at-depth practices – including architectural & design review, peer review, threat modeling, tabletop exercises, security analysis in our code integration and deployment pipelines as well as internal & external penetration testing. This rigorous and continual process is designed to provide you with the highest level of assurance regarding our services. If you have any questions or concerns feel free to contact us at security@identityautomation.com. We are happy to field any questions about our defense at depth practices as well as any reports of vulnerabilities in the solution. To download a copy of our RapidIdentity Architecture, click here.